A vulnerability in LibKSBA allows code execution in GnuPG


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems

The news recently broke that a critical vulnerability (already cataloged as CVE-2022-3515, and already fixed) was identified in the LibKSBA library, which is developed by the GnuPG project and provides functions for working with X.509 certificates.

The bug causes an integer overflow and an out-of-bounds write beyond the allocated buffer when parsing the ASN.1 structures used in S/MIME, X.509, and CMS.

What earns the vulnerability its "critical" rating is that Libksba is used by the GnuPG package, so the flaw can lead to remote code execution when GnuPG (gpgsm) processes encrypted or signed S/MIME data from files or email messages. In the simplest case, attacking a victim who uses a mail client that supports GnuPG and S/MIME takes nothing more than sending a specially formatted email.

A serious bug has been found in Libksba, the library used by GnuPG to parse ASN.1 structures as used by S/MIME.

The vulnerability could also be used to attack dirmngr, the component that downloads and parses Certificate Revocation Lists (CRLs) and verifies the certificates used in TLS. An attacker-controlled web server can attack dirmngr by returning specially crafted CRLs or certificates.

Note that no publicly available exploits for gpgsm or dirmngr have been identified so far, but the vulnerability is of a well-known type and nothing prevents skilled attackers from preparing an exploit on their own.

The main user of Libksba is gpgsm, the S/MIME cousin of gpg. There it is used to parse all kinds of input data, in particular signed or encrypted data in files or emails. Therefore, feeding a user malicious data can be easily achieved.

A second user of Libksba is dirmngr, which is responsible for loading and parsing certificate revocation lists (CRLs) and verifying the certificates used by TLS (i.e. https connections). Mounting an attack here is a bit more complex, but it can still be done easily by using a rogue web server to serve a Web Key Directory, certificates, or CRLs.

The following are reported as affected by the vulnerability:

  • Most software using Libksba versions up to 1.6.1
  • All versions of Gpg4win from version 2.0.0 to 4.0.3
  • All versions of GnuPG VS-Desktop® from 3.1.16 to 3.1.24
  • All GnuPG installers for Windows from version 2.3.0 to 2.3.7
  • All GnuPG LTS installers for Windows from version 2.1.0 to 2.2.39

As mentioned at the beginning, the vulnerability has already been fixed in Libksba 1.6.2 and in the GnuPG 2.3.8 binary builds; since the bug was reported privately, a grace period was given so that the necessary fixes could be prepared before disclosure.

On Linux distributions, the Libksba library is usually provided as a separate dependency, but on Windows builds it is integrated into the main GnuPG installation package.

It is worth mentioning that users who have already installed the relevant updates should not forget to restart the background processes with the command "gpgconf --kill all". To check whether a system is still affected, look at the output of "gpgconf --show-versions": the "KSBA ...." line should report a version of at least 1.6.2.
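The check described above, written out as a small POSIX shell script: it pulls the KSBA version out of `gpgconf --show-versions` output and compares it against 1.6.2, the first fixed Libksba release. This is an added example, not code from the article or from the GnuPG project. The exact layout of gpgconf's output (a line containing the word KSBA followed by a dotted version) is an assumption, and the two sample outputs embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or GnuPG): is the KSBA reported by
# "gpgconf --show-versions" at least the first fixed release, 1.6.2?

KSBA_FIXED="1.6.2"

# version_ge A B: succeed when dotted version A >= B.
# Non-numeric suffixes on a component (e.g. "0-3+deb11u1") are ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"               # leading component
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"    # drop it from the rest
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"   # strip "-3+deb11u1" etc.
        ax="${ax:-0}"; bx="${bx:-0}"               # missing component == 0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
    done
    return 0
}

# ksba_version_from_output TEXT: print the first dotted version that follows
# the word KSBA in TEXT, or nothing if no such line exists.
# (Assumes gpgconf prints something like "* KSBA 1.6.2 (...)".)
ksba_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*KSBA[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# ksba_patched TEXT: 0 if the KSBA version in TEXT is >= 1.6.2,
# 1 if it is older, 2 if no KSBA line could be found.
ksba_patched() {
    v="$(ksba_version_from_output "$1")"
    [ -n "$v" ] || return 2
    version_ge "$v" "$KSBA_FIXED"
}

# Constructed sample outputs (not real gpgconf transcripts).
SAMPLE_OLD='* GnuPG 2.3.7 (constructed sample)
* Libgcrypt 1.10.1 (constructed sample)
* KSBA 1.6.1 (constructed sample)'
SAMPLE_NEW='* GnuPG 2.3.8 (constructed sample)
* KSBA 1.6.2 (constructed sample)'

report() {
    # report LABEL TEXT: print a one-line verdict for TEXT
    if ksba_patched "$2"; then
        echo "$1: KSBA $(ksba_version_from_output "$2") -> patched"
    elif [ $? -eq 2 ]; then
        echo "$1: no KSBA line found in output"
    else
        echo "$1: KSBA $(ksba_version_from_output "$2") -> older than $KSBA_FIXED"
    fi
}

# Check the running system too, if gpgconf is installed.
check_live_system() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not installed; skipping live check"; return 0; }
    out="$(gpgconf --show-versions 2>/dev/null)" || return 0
    report "this host" "$out"
}

report "constructed old install" "$SAMPLE_OLD"
report "constructed new install" "$SAMPLE_NEW"
check_live_system
```

One caveat when reading the verdict: distributions that backport the fix keep the old upstream version string, as in the Debian package mentioned in the comments below, so on such systems the packaged version and the distribution's advisory are the authoritative check rather than the upstream number alone. Run the script after "gpgconf --kill all" so that freshly started daemons are what you are measuring.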

Not all distributions have released updates yet, but you can follow their appearance on the pages for Debian, Ubuntu, Gentoo, RHEL, SUSE, Arch and FreeBSD. The vulnerability is also present in the MSI and AppImage packages with GnuPG VS-Desktop and in Gpg4win.

Finally, for those interested in learning more about it, you can check the details in the following link.


reflex said:

My Debian Bullseye system received the security update on 17/10 with libksba version 1.5.0-3+deb11u1